[Screenshot of a forensic file listing: entries 191270 through 191295, TIFF images (category "Picture"), most flagged "File, Deleted, Archive". Legible timestamps in the rows include 03/03/21 02:44:32PM, 10/28/20 10:17 AM and 04/25/21 03:44:21PM; the column headers are not shown.]

Arizona Senate Audit
Failure to Preserve Operating System Logs

• Logs Produced By [illegible]
• Clear Intentional Overwriting of the Security Logs by the EMSADMIN Account
• 2/11/2021 - 462 Log Entries Overwritten
• 3/3/2021 - 37,686 Log Entries Overwritten
• 4/12/2021 - 330 Log Entries Overwritten


Arizona Senate Audit
General Election Results Purged from EMS

• 2/1/2021 - SQL Logs Indicate
Account Purged the General-
Database


4DA1500D-7B7D-4437-88EC-492C79DAF75B Admin User initiates the Close Project activity LDO1
76B314A4-600D-4' 5D-818D448F5203 RTRAdmin Project 20201103 General opened LDO1
ABOEF054-F8C5-4217-A0B4-5BC20566F1AE RTRAdmin [illegible] LDO1
36615BC3-F4FS-4E6D-92A0-560C2DCFE45F RTRAdmin User initiates the OnPurgeResults activity LDO1
D839A42C-16, RTRAdmin User initiates generation of password. LDO1
EDAC3600-09 A; 8B793 RTRAdmin PurgeResultsCommand (execution duration: 76478ms): All result files from database were deleted. LDO1 NU 02-01 17:16:27.810
39B7BDFD-BE64-4501-SBFF-CCCECFFSE2A0 RTRAdmin PurgeResultsCommand (execution duration: 288779ms): The result files database, result files and images from NAS were deleted. Purging of results has finished successfully LDO1 NU 1-02-01 17:20:00.097
036292E2-0F 66-4F30-9308-6E 1D55377B97 RTRAdmin User initiates the Election Summary Report activity LDO1 02-01 17:21:55.173


Anonymous Logins

• Some Anonymous Login
• Atypical Anonymous Logins


Event 4624, Microsoft Windows security auditing (first screenshot)

An account was successfully logged on.

Subject:
    Security ID: NULL SID
    Logon ID: 0x [truncated]
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
    Security ID: ANONYMOUS LOGON
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0xBAFF32
    Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
    Process ID: 0x [truncated]
Network Information:
    Workstation Name: DESKTOP [truncated]
    Source Network Address: 192.168 [truncated]
    Source Port: 61322
Detailed Authentication Information:
    Logon Process: NtLmSsp

Log Name: Security
Source: Microsoft Windows security
Logged: 8/27/2021 11:02:02 AM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
OpCode: Info

Event 4624, Microsoft Windows security auditing (second screenshot)

An account was successfully logged on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
    Security ID: ANONYMOUS LOGON
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x2ACBE
    Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
    Process ID: 0x0
    Process Name: -
Network Information:
    Workstation Name: -
    Source Network Address: -
    Source Port: -
Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM

Log Name: Security
Source: Microsoft Windows security
Logged: 2/10/2021 4:07:19 PM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: EMSSERVER
OpCode: Info



Arizona Senate Audit
EMS Listening Ports

• Analysis Discovered 59 Ports [illegible] on the EMS Server at Boot
• Unexpected High Port Listening Activity by Windows Processes (winit.exe, dns.exe, [illegible])
• IPV6 Enabled
• Terminal Services are Enabled
• Remote Access Is Enabled


Arizona Senate Audit
EMS Network Connection Attempts on Boot

Process | File Path | Process ID | Dest IP | Dest Port | Whois
[illegible] | [illegible] | [illegible] | [illegible] | [illegible] | N/A Local Lan
avastsvc.exe | c:\program files\avast software\avast business\avastsvc.exe | [remaining columns illegible]
avastsvc.exe | c:\program files\avast software\avast business\avastsvc.exe | [remaining columns illegible]
[row illegible]
svchost.exe | c:\windows\system32\svchost.exe | 988 | [illegible] | [illegible] | Akamai
svchost.exe | c:\windows\system32\svchost.exe | 988 | [illegible] | 80 | Level 3 Parent, LLC
svchost.exe | c:\windows\system32\svchost.exe | 988 | [illegible] | 60 | Level 3 Parent, LLC
jusched.exe | c:\program files (x86)\common files\java\java update\jusched.exe | 4680 | 184.86.196.202 | 443 | Akamai
[illegible] | c:\program files\avast software\avast business\avastemupdate.exe | 8092 | 104.99.72.230 | [illegible] | Akamai
Internet [illegible] and Connections History

• Significant Internet History [illegible]
• EMS Server
• EMS Client Workstations
• Adjudication Workstations
• REWEB 1601
• REGIS 1202
EMS Server

Date Visited [Local]
2021-02-02 00:17:30,906 2021-02-01 17:17:30.906
2021-02-02 00:17:33,935 2021-02-01 17:17:33,935

1 https://az700632.vo.msecnd.net/pub/ExtMar/CompatList/CompatibilityList.xml.errormarker
2 https://az700632.vo.msecnd.net/pub/ExtMar/CompatList/CompatibilityList.xml.errormarker
EMS Client 1

Date Visited [UTC] | Date Visited [Local]
02/07/2020 20:02:19 | 02/07/2020 13:02:19
02/22/2021 23:08:13 | 02/22/2021 16:08:13
02/07/2020 20:00:53 | 02/07/2020 13:00:53

Date Visited [UTC] | Date Visited [Local]
10/30/2019 17:00:49 | 10/30/2019 10:00:49
10/30/2019 17:00:54 | 10/30/2019 10:00:54
10/30/2019 17:00:58 | 10/30/2019 10:00:58
10/30/2019 17:01:46 | 10/30/2019 10:01:46
10/30/2019 17:01:50 | 10/30/2019 10:01:50
10/30/2019 17:02:02 | 10/30/2019 10:02:02
10/30/2019 17:02:46 | 10/30/2019 10:02:46
10/30/2019 17:03:38 | 10/30/2019 10:03:38
10/30/2019 17:03:46 | 10/30/2019 10:03:46
10/30/2019 17:03:51 | 10/30/2019 10:03:51
10/30/2019 17:04:00 | 10/30/2019 10:04:00
10/30/2019 17:04:21 | 10/30/2019 10:04:21

URL
http://www.bing.com/search?q=192.138.100.11&src=IE-SearchBox&FORM=IE11SR&pc=EUPP
https://go.microsoft.com/fwlink/?LinkId=838604
http://192.168.100.11/p_preference.html
http://192.168.100.11/m_network.html
http://192.168.100.11/m_network_tcpip.html
http://192.168.100.11/m_system.html
http://192.168.100.11/m_security.html
http://192.168.100.11/m_network_ethernet.html
http://192.168.100.11/m_network_ipv4.html
http://192.168.100.11/m_network_snmp.html
http://192.168.100.11/m_network_port.html
http://192.168.100.11/m_network_port_edit.html
http://192.168.100.11/m_network_starttime.html
http://192.168.100.11/m_network_wirelesslan.html

User
emsadmin01 (14 legible entries)
EMS Client 3

Date Visited [UTC]   Date Visited [Local]   URL   User

08/06/2019 16:26:03 08/06/2019 09:26:03 http://192.168.100.11/portal_top.html emsadmin01
08/06/2019 16:26:01 08/06/2019 09:26:01 http://192.168.100.11/ emsadmin01
08/06/2019 16:26:03 08/06/2019 09:26:03 http://192.168.100.11/portal_top.html emsadmin01
08/06/2019 16:26:03 08/06/2019 09:26:03 http://192.168.100.11/portal_top.html emsadmin01
08/06/2019 16:26:01 08/06/2019 09:26:01 http://192.168.100.11/ emsadmin01
08/06/2019 16:26:13 08/06/2019 09:26: http://192.168.100.11/ emsadmin01
08/06/2019 16:26: 08/06/2019 09:26: 3 http://192.168.100.11/checkLogin.cai emsadmin01
08/06/2019 16:26: 08/06/2019 09:26:27 http://192.168.100.11/portal_top.html emsadmin01
02/04/2021 00:36: 02/03/2021 17:36:19 https://go.microsoft.com/fwlink/?LinkId=838604 emsadmin03
REWEB1601

Date Visited [UTC]   Date Visited [Local]   Visits   URL

01/17/2020 17:16:09 01/17/2020 10:16:09 https://global.fncstatic.com/static/isa/core.js?v=20200116173547
01/17/2020 17:16:09 01/17/2020 10:16:09 https://static.foxnews.com/static/orion/scripts/core/ag.core.js?v=20200116173547
01/17/2020 17:16:09 01/17/2020 10:16:09 https://static.foxnews.com/static/orion/html/video/iframe/vod.html?v=20200116173547
01/17/2020 17:16:09 01/17/2020 10:16:09 https://static.foxnews.com/static/orion/html/video/iframe/vod.html?v=20200116173547 serveradmin
01/17/2020 17:16:09 01/17/2020 10:16:09 https://static.foxnews.com/static/orion/styles/ima/core/s/ba/close.svg
01/17/2020 17:16:09 01/17/2020 10:16:09 https://static.foxnews.com/static/orion/scripts/core/components/loader.newsletter.xdcomm.js?v...
01/17/2020 17:16:09 01/17/2020 10:16:09 https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js
01/17/2020 17:16:09 01/17/2020 10:16:09 https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js
01/17/2020 17:16:09 01/17/2020 10: https://my.foxnews.com/js/bootstrap.js
01/17/2020 17:16:08 01/17/2020 10: https://static.foxnews.com/static/orion/scripts/core/templates/ag.app.js?v=20200116173547
01/17/2020 17:16:08 01/17/2020 10:16:05 https://static.foxnews.com/static/orion/scripts/core/ag.core.js
01/17/2020 17:16: 01/17/2020 10:16: https://static.foxnews.com/static/orion/scripts/core/templates/app/iframe.html?v=20200116173...
01/17/2020 17:16: 01/17/2020 10:16: https://static.foxnews.com/static/orion/scripts/core/templates/app/iframe.html?v=20200116173... serveradmin
REGIS 1202

Date Visited [UTC] | Date Visited [Local]
11/25/2019 14:50:28 | 11/25/2019 07:50:28
11/25/2019 14:50:27 | 11/25/2019 07:50:27
11/25/2019 14:49:58 | 11/25/2019 07:49:58
11/25/2019 14:49:57 | 11/25/2019 07:49:57
11/25/2019 14:48:37 | 11/25/2019 07:48:37
11/25/2019 14:48:29 | 11/25/2019 07:48:29
11/25/2019 14:48:29 | 11/25/2019 07:48:29
11/25/2019 14:48:29 | 11/25/2019 07:48:29
11/25/2019 14:48:29 | 11/25/2019 07:48:29
11/25/2019 14:48:29 | 11/25/2019 07:48:29
11/25/2019 14:48:29 | 11/25/2019 07:48:29
11/25/2019 14:48:13 | 11/25/2019 07:48:13
11/25/2019 14:48:13 | 11/25/2019 07:48:13

Visits
URL
3. https://156.42.40.59:1311/OMSALogin?msgStatus=null
https://156.42.40.59:1311/LoginServlet?flag=true&managedws=true
https://156.42.40.59:1311/OMSALogin?msgStatus=false&PasswordEmpty=false
https://156.42.40.59:1311/omalogin.html?msgStatus=false&manageDWS=true&PasswordEmpt...
https://156.42.40.59:1311/OMSALogin
https://156.42.40.59:1311/oma/js/anavbar.js
https://156.42.40.59:1311/oma/js/Clarity.js
https://156.42.40.59:1311/oma/js/prototype.js
https://156.42.40.59:1311/oma/css/masthead.css
https://156.42.40.59:1311/oma/css/common.css
https://156.42.40.59:1311/oma/js/favicon.js
https://156.42.40.59:1311/OMSALogin
https://156.42.40.59:1311/OMSALogin

User
serveradmin (7 legible entries)